ABSTRACT. This paper presents a practical digital signature scheme to be used in conjunction with network coding. Our scheme simultaneously provides authentication and detects malicious nodes that intentionally corrupt content on the network.


1. INTRODUCTION 


Following the important work of Ahlswede et al. and Li et al. ([ACLY00, CLY03]), network coding ([CJW03, CJL05, GR05]) has been established as a viable alternative to the store-and-forward mechanisms used in peer-to-peer networks. However, network coding is inherently vulnerable to pollution attacks by malicious nodes in the network. The pollution of packets spreads quickly, since the output of (even an) honest node is corrupted if at least one of the incoming packets is corrupted. The question of how to prevent pollution attacks in the network coding scheme remained open and was the subject of the paper by Krohn et al. [KFM04] in the generalized setting of rateless erasure codes (see also [GR06]). They show that a construction based on homomorphic hashing works to detect the polluted packets. This scheme, however, assumes that there is a separate secure channel which is used to transmit the hash values of the packets to all the nodes.


In this paper we propose a different solution to the problem of detecting pollution attacks. We design a new homomorphic signature scheme for use with network coding. The homomorphic property of the signatures allows nodes to sign any linear combination of the incoming packets without contacting the signing authority. At first glance one might think that this is a weakness of the signature scheme. This is not so: in our scheme it is computationally infeasible for a node to sign a linear combination of the packets without disclosing what linear combination was used in the generation of the packet. Furthermore, we can prove that the signature scheme is secure under the well-known cryptographic assumptions of the hardness of the Discrete-Log problem and the computational co-Diffie-Hellman problem on elliptic curves. Our scheme has a three-fold advantage over the scheme based on homomorphic hashing: firstly, we do not need to securely transmit hash values of the packets that the source transmits; secondly, since our scheme is based on elliptic curves, smaller security parameters suffice and this translates to improved efficiency since the bit lengths involved are smaller; finally, our scheme provides authentication of the data in addition to detecting pollution of packets.


2. BACKGROUND ON ELLIPTIC CURVES 


In this section we briefly review some facts about elliptic curves over finite fields; the reader should consult Chapters III and V of [Sil86] for proofs of the number-theoretic claims.


Let $\mathbb{F}_q$ be a finite field where $q$ is a power of a prime relatively prime to 2 and 3. An elliptic curve $E$ over $\mathbb{F}_q$ (sometimes abbreviated as $E/\mathbb{F}_q$) is a projective curve in $\mathbb{P}^2(\mathbb{F}_q)$ given by an equation of the form

$$Y^2 Z = X^3 + A X Z^2 + B Z^3$$

with $A, B \in \mathbb{F}_q$ and $4A^3 + 27B^2 \neq 0$. The curve has two affine pieces: the piece with $Z \neq 0$ has the affine form $y^2 = x^3 + Ax + B$ (obtained by setting $x = X/Z$ and $y = Y/Z$); and the piece with $Z = 0$, which has only one (projective) point, namely $(0 : 1 : 0)$, which we denote $O$. Let $K$ be a field (not necessarily finite) that contains $\mathbb{F}_q$; the set

$$E(K) = \{(x, y) \in K \times K : y^2 = x^3 + Ax + B\} \cup \{O\}$$

can be given the structure of an abelian group with $O$ as the identity of the group. Moreover, the group operations can be efficiently computed. In particular, if $P$ and $Q$ are points on $E$ with coordinates in $\mathbb{F}_q$, then $P + Q$ and $-P$ can be computed in $O(\log^{1+\epsilon} q)$ bit operations for any $\epsilon > 0$. Hasse's theorem gives a tight estimate for the size of the group $E(\mathbb{F}_q)$:

$$q + 1 - 2\sqrt{q} \le \#E(\mathbb{F}_q) \le q + 1 + 2\sqrt{q}.$$

The Schoof-Elkies-Atkin algorithm ([BSS99], Chapter VII) is a deterministic polynomial time algorithm that computes $\#E(\mathbb{F}_q)$.


2.1. The Weil pairing. Let $E/\mathbb{F}_q$ be an elliptic curve and let $\overline{\mathbb{F}}_q$ be an algebraic closure of $\mathbb{F}_q$. If $m$ is an integer relatively prime to the characteristic of the field $\mathbb{F}_q$, then the group of $m$-torsion points, $E[m] = \{P \in E(\overline{\mathbb{F}}_q) : mP = O\}$, has the following structure:

$$E[m] \cong \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}.$$

There is a map $e_m : E[m] \times E[m] \to \overline{\mathbb{F}}_q^{*}$ with the following properties:

(1) The map $e_m$ is bilinear:
$$e_m(S_1 + S_2, T) = e_m(S_1, T)\, e_m(S_2, T),$$
$$e_m(S, T_1 + T_2) = e_m(S, T_1)\, e_m(S, T_2).$$
(2) Alternating: $e_m(T, T) = 1$, and so $e_m(T, S) = e_m(S, T)^{-1}$.
(3) Non-degenerate: if $e_m(S, T) = 1$ for all $S \in E[m]$ then $T = O$.

Let $E/\mathbb{F}_q$ be an elliptic curve such that the $m$-torsion points on $E$ have coordinates in $\mathbb{F}_q$. Then there is a probabilistic algorithm that can evaluate $e_m(S, T)$ in $O(\log^{2+\epsilon} q)$ bit operations for all $S, T$ in $E[m]$. If it is clear from the context we may drop the subscript $m$ when writing $e_m$. The algorithm for computing $e_m$ was proposed by Miller in [Mil86]. See the paper by Eisenträger et al. ([ELM04]) for a description of Miller's algorithm and also a deterministic variant for computing the square of the Weil pairing.





3. THE SIGNATURE SCHEME 


3.1. Network Coding. We briefly describe the standard network coding framework for content distribution ([CJW03, GR05, CJL05]). Let $G = (V, E)$ be a directed graph. A source $s \in V$ wishes to transmit some data to a set $T \subseteq V$ of the vertices. One chooses a vector space $W/\mathbb{F}_p$ (say of dimension $d$), where $p$ is a prime, and views the data to be transmitted as a bunch of vectors $w_1, \ldots, w_k \in W$. The source then creates the augmented vectors $v_1, \ldots, v_k$ by setting

$$v_i = (\underbrace{0, \ldots, 0}_{i-1 \text{ zeros}}, 1, 0, \ldots, 0, w_{i1}, \ldots, w_{id}),$$

where $w_{ij}$ is the $j$-th coordinate of the vector $w_i$. One can assume without loss of generality that the vectors $v_i$ are linearly independent. We denote the subspace (of $\mathbb{F}_p^{k+d}$) spanned by these vectors by $V$. Each outgoing edge $e \in E$ computes a linear combination, $y(e)$, of the vectors entering the vertex $v = \mathrm{in}(e)$ where the edge originates, that is to say

$$y(e) = \sum_{f :\, \mathrm{out}(f) = v} m_e(f)\, y(f),$$

where $m_e(f) \in \mathbb{F}_p$. We consider the source as having $k$ input edges carrying the $k$ augmented vectors $v_i$. By induction one has that the vector $y(e)$ on any edge is a linear combination $y(e) = \sum_{1 \le i \le k} g_i(e)\, v_i$ and is a vector in $V$. The $k$-dimensional vector $g(e) = (g_1(e), \ldots, g_k(e))$ is simply the first $k$ coordinates of the vector $y(e)$. We call the matrix whose rows are the vectors $g(e_1), \ldots, g(e_k)$, where the $e_i$ are the incoming edges for a vertex $t \in T$, the global encoding matrix for $t$ and denote it $G_t$. In practice the encoding vectors are chosen at random, so the matrix $G_t$ is invertible with high probability. Thus any receiver, on receiving $y_1, \ldots, y_k$, can find $w_1, \ldots, w_k$ by solving

$$\begin{pmatrix} y_1' \\ y_2' \\ \vdots \\ y_k' \end{pmatrix} = G_t \begin{pmatrix} w_1 \\ w_2 \\ \vdots \\ w_k \end{pmatrix},$$

where the $y_i'$ are the vectors formed by removing the first $k$ coordinates of the vector $y_i$.


3.2. The homomorphic signature scheme. Let $p$ be a prime number and $q$ a power of a different prime with $p < q$. Let $V/\mathbb{F}_p$ be a vector space of dimension $d + k$ and let $E/\mathbb{F}_q$ be an elliptic curve such that $R_1, \ldots, R_k, P_1, \ldots, P_d$ are (distinct) points of $p$-torsion on $E(\mathbb{F}_q)$. We can define a function $h_{R_1, \ldots, R_k, P_1, \ldots, P_d} : V \to E(\mathbb{F}_q)$ as follows: for $v = (u_1, \ldots, u_k, v_1, \ldots, v_d) \in V$

$$h_{R_1, \ldots, R_k, P_1, \ldots, P_d}(v) = \sum_{j=1}^{k} u_j R_j + \sum_{i=1}^{d} v_i P_i.$$

The function $h_{R_1, \ldots, R_k, P_1, \ldots, P_d}$ is a homomorphism (of additive abelian groups) from the vector space $V$ to the group $E[p]$ of $p$-torsion points on the curve.


Suppose the server wishes to distribute the augmented vectors $v_1, \ldots, v_k \in V$. The server chooses $s_1, \ldots, s_k$ and $r_1, \ldots, r_d$, which are secrets in $\mathbb{F}_p$, then signs the packet $v_i$ by computing

$$h_i = h_{s_1 R_1, \ldots, s_k R_k, r_1 P_1, \ldots, r_d P_d}(v_i).$$

The server also publishes $R_1, \ldots, R_k, P_1, \ldots, P_d, Q$, $s_j Q$ for $1 \le j \le k$ and $r_i Q$ for $1 \le i \le d$. Here $Q$ is another point of $p$-torsion on the elliptic curve distinct from the others such that $e_p(R_j, Q) \neq 1$ and $e_p(P_i, Q) \neq 1$ for $1 \le j \le k$ and $1 \le i \le d$.


This signature $h_i$ is also appended to the data $v_i$ and transmitted according to the distribution scheme. Now, at any edge $e$ that computes

$$y(e) = \sum_{f :\, \mathrm{out}(f) = \mathrm{in}(e)} m_e(f)\, y(f)$$

we also compute

$$h(e) = \sum_{f :\, \mathrm{out}(f) = \mathrm{in}(e)} m_e(f)\, h(f)$$

and transmit $h(e)$ together with the data $y(e)$. Since the computation of the signature $h(e)$ is a homomorphism, we have that if $y(e) = \sum_i \alpha_i v_i$ then

$$h(e) = \sum_i \alpha_i h_i.$$

Next we describe the verification process. Suppose $y(e) = (u_1, \ldots, u_k, v_1, \ldots, v_d)$; we check whether

$$\prod_{1 \le j \le k} e(u_j R_j,\, s_j Q) \prod_{1 \le i \le d} e(v_i P_i,\, r_i Q) = e(h(e), Q).$$

This works because if $h(e)$ is the legitimate signature of $y(e)$ then by definition

$$h(e) = \sum_{1 \le j \le k} u_j s_j R_j + \sum_{1 \le i \le d} v_i r_i P_i,$$

thus

$$e(h(e), Q) = e\Big(\sum_{1 \le j \le k} u_j s_j R_j + \sum_{1 \le i \le d} v_i r_i P_i,\ Q\Big) = \prod_{1 \le j \le k} e(u_j s_j R_j, Q) \prod_{1 \le i \le d} e(v_i r_i P_i, Q) \quad \text{(by bilinearity)}$$

$$= \prod_{1 \le j \le k} e(u_j R_j,\, s_j Q) \prod_{1 \le i \le d} e(v_i P_i,\, r_i Q) \quad \text{(again, by bilinearity).}$$

The verification crucially uses the bilinearity of the Weil pairing. Note that all the terms in the above verification can be computed either from the vector $y(e)$ or from the public information.


The signature is a point on the elliptic curve with coordinates in $\mathbb{F}_q$. Thus the size of the signature is $2 \log q$ bits (which is some constant times $\log p$ bits, depending on the relative size of $p$ and $q$), and this is the transmission overhead. The computation of the signature $h(e)$ at each vertex requires $O(d_{\mathrm{in}} \log p \log^{1+\epsilon} q)$ bit operations, where $d_{\mathrm{in}}$ is the in-degree of the vertex $\mathrm{in}(e)$. The verification of a signature requires $O((d + k) \log^{2+\epsilon} q)$ bit operations.
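As an added illustration of Sections 3.1 and 3.2 (constructed for this page, not code from the paper), the following Python model builds the augmented vectors $v_i$, signs them with the homomorphic hash, recombines packets and signatures at an intermediate node, and shows that a packet altered in transit no longer matches its signature. It uses a toy curve, $y^2 = x^3 + x + 1$ over $\mathbb{F}_{23}$ with 28 points (so $p = 7$), chosen only so that everything is brute-forceable. The pairing-based public verification is not implemented; `check` instead compares against the hash computed with the signer's secret points $s_j R_j, r_i P_i$, which exercises the same homomorphic identity $h(e) = \sum_i \alpha_i h_i$ that the pairing equation relies on. All function names and parameter choices in the block are this example's own.

```python
"""Toy model of the network-coding signature of Sections 3.1-3.2 (constructed example).

E : y^2 = x^3 + x + 1 over F_23 has 28 points, so p = 7 and packets are vectors over
F_7.  The Weil-pairing verification against the extra torsion point Q is not
implemented; check() uses the signer's secret points s_j R_j, r_i P_i directly.
"""
import random

Q_FIELD = 23      # q: the curve is defined over F_23
A, B = 1, 1       # E : y^2 = x^3 + A x + B


def ec_add(P1, P2):
    """Chord-and-tangent addition on E(F_q); None denotes the identity O."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % Q_FIELD == 0:   # P2 = -P1 (also 2P when y = 0)
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q_FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q_FIELD)
    lam %= Q_FIELD
    x3 = (lam * lam - x1 - x2) % Q_FIELD
    return (x3, (lam * (x1 - x3) - y1) % Q_FIELD)


def ec_mul(n, P):
    """Double-and-add scalar multiplication n*P."""
    R = None
    while n > 0:
        if n & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        n >>= 1
    return R


def ec_points():
    """Every point of E(F_q) by brute force (fine for q = 23)."""
    pts = [None]
    for x in range(Q_FIELD):
        rhs = (x ** 3 + A * x + B) % Q_FIELD
        pts += [(x, y) for y in range(Q_FIELD) if y * y % Q_FIELD == rhs]
    return pts


POINTS = ec_points()
GROUP_ORDER = len(POINTS)          # 28
P_PRIME = 7                        # p: prime dividing #E, the packet field is F_p
COFACTOR = GROUP_ORDER // P_PRIME  # the m of Section 5.2 (coprime to p)


def p_torsion_point(rng):
    """Section 5.2: m * (random point) is a nontrivial p-torsion point unless it is O."""
    while True:
        T = ec_mul(COFACTOR, rng.choice(POINTS))
        if T is not None:
            return T


def hom_hash(points, vec):
    """h_{R_1..R_k,P_1..P_d}(v) = sum_j u_j R_j + sum_i v_i P_i; points = [R_1..R_k, P_1..P_d]."""
    acc = None
    for c, T in zip(vec, points):
        acc = ec_add(acc, ec_mul(c % P_PRIME, T))
    return acc


def keygen(k, d, rng):
    """Public points R_j, P_i (multiples of one p-torsion point) and secrets s_j, r_i."""
    G = p_torsion_point(rng)
    pub = [ec_mul(rng.randrange(1, P_PRIME), G) for _ in range(k + d)]
    secrets = [rng.randrange(1, P_PRIME) for _ in range(k + d)]
    secret_pts = [ec_mul(s, T) for s, T in zip(secrets, pub)]   # s_j R_j, r_i P_i
    return pub, secrets, secret_pts


def augment(ws):
    """v_i = (0,..,1,..,0, w_i): prepend the i-th unit vector of length k."""
    k = len(ws)
    return [[int(j == i) for j in range(k)] + list(w) for i, w in enumerate(ws)]


def combine(coeffs, packets, sigs):
    """An intermediate node: y(e) = sum m_e(f) y(f) over F_p, h(e) = sum m_e(f) h(f) on E."""
    n = len(packets[0])
    y = [sum(c * pkt[t] for c, pkt in zip(coeffs, packets)) % P_PRIME for t in range(n)]
    h = None
    for c, s in zip(coeffs, sigs):
        h = ec_add(h, ec_mul(c, s))
    return y, h


def check(secret_pts, y, h):
    """Signer-side check standing in for the pairing equation: is h the hash of y?"""
    return hom_hash(secret_pts, y) == h


def demo(seed=1, k=2, d=3):
    """Sign k augmented packets, recombine at a node, then pollute one coordinate."""
    rng = random.Random(seed)
    ws = [[rng.randrange(P_PRIME) for _ in range(d)] for _ in range(k)]   # constructed data
    vs = augment(ws)
    _pub, _secrets, secret_pts = keygen(k, d, rng)
    sigs = [hom_hash(secret_pts, v) for v in vs]            # h_i
    coeffs = [rng.randrange(1, P_PRIME) for _ in range(k)]  # m_e(f)
    y, h = combine(coeffs, vs, sigs)
    honest_ok = check(secret_pts, y, h)
    polluted = list(y)
    polluted[k] = (polluted[k] + 1) % P_PRIME               # tamper with one data coordinate
    polluted_caught = not check(secret_pts, polluted, h)
    return honest_ok, polluted_caught


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The node in `combine` never touches the secrets: it only scales and adds the signatures it received, exactly as the edge rule $h(e) = \sum m_e(f)\, h(f)$ prescribes. Because every $R_j$ and $P_i$ is a multiple of one $p$-torsion point, a colliding pair of packets would immediately yield a discrete log in that subgroup (Proposition 4.1); with $p = 7$ that is trivial, so the block models the data flow, not the security level.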
4. PROOF OF SECURITY


We preserve the notation of the previous section here. To thwart the signature scheme an adversary can either produce a hash collision for the function $h_{s_1 R_1, \ldots, s_k R_k, r_1 P_1, \ldots, r_d P_d}$ or he can forge the signature such that the verification goes through. Note that in this situation the adversary has no knowledge of the points $s_1 R_1, \ldots, s_k R_k$ and $r_1 P_1, \ldots, r_d P_d$. We first show that even if the adversary knew these points, producing a collision is still as hard as computing discrete logs. We make the claim precise next:

Problem: HASH-COLLISION.

Fix an integer $r > 1$.

Input: Points $P_1, \ldots, P_r$ on an elliptic curve $E/\mathbb{F}_q$ contained in a cyclic subgroup of prime order $p$.

Output: Tuples $a = (a_1, \ldots, a_r)$, $b = (b_1, \ldots, b_r) \in \mathbb{F}_p^r$ such that $a \neq b$ and

$$\sum_{1 \le i \le r} a_i P_i = \sum_{1 \le j \le r} b_j P_j.$$

Proposition 4.1. There is a polynomial time reduction from Discrete Log on the cyclic group of order $p$ on elliptic curves to HASH-COLLISION.

Proof: First we treat the case when $r = 2$. Let $P$ and $Q$ be points of order $p$ on $E(\mathbb{F}_q)$ that are not the identity. Assume that $Q$ lies in the subgroup generated by $P$. Our aim is to find $a$ such that $Q = aP$. To this end we apply the alleged algorithm that solves HASH-COLLISION to the points $P$ and $Q$. The algorithm produces two distinct pairs $(x, y), (u, v) \in \mathbb{F}_p^2$ such that

$$xP + yQ = uP + vQ.$$

This gives us a relation $(x - u)P + (y - v)Q = O$. We claim that $x \neq u$ and $y \neq v$. Suppose that $x = u$; then we would have $(y - v)Q = O$, but $Q$ is a point of order $p$ (a prime), thus $y - v \equiv 0 \pmod p$, in other words $y = v$ in $\mathbb{F}_p$. This contradicts the assumption that $(x, y)$ and $(u, v)$ are distinct pairs in $\mathbb{F}_p^2$ (the case $y = v$ is symmetric). Thus we have that $Q = -(x - u)(y - v)^{-1} P$, where the inverse is taken modulo $p$.

If we have $r > 2$ then we can do one of two things. Either we can take $P_1 = P$ and $P_2 = Q$ as before and set $P_i = O$ for $i > 2$ (in this case the proof reduces to the case when $r = 2$), or we can take $P_1 = r_1 P$ and $P_i = r_i Q$ for $i \ge 2$, where the $r_i$ are chosen at random from $\mathbb{F}_p$. We get one equation in one unknown (the discrete log of $Q$). It is quite possible that the equation we get does not involve the unknown. However, this happens with very small probability, as we argue next. Suppose the algorithm for HASH-COLLISION gave us that

$$a r_1 P + \sum_{2 \le i \le r} b_i r_i Q = O.$$

Then as long as $\sum_{2 \le i \le r} b_i r_i \not\equiv 0 \pmod p$, we can solve for the discrete log of $Q$. But the $r_i$'s are unknown to the oracle for HASH-COLLISION and so we can interchange the order in which this process occurs. In other words, given $b_i$, for $2 \le i \le r$, not all zero, what is the probability that the $r_i$'s we chose satisfy $\sum_{2 \le i \le r} b_i r_i = 0$? It is clear that the latter probability is $1/p$. Thus with high probability we can solve for the discrete log of $Q$.














One can also conclude the above proposition from 
the proof presented in [BGG94] (see Appendix A of 
that paper). The proof in that paper deals with finite 
fields but the argument applies equally well to the 
case of elliptic curves. 


We have shown that producing hash collisions in our scheme is difficult. The other method by which an adversary can foil our system is by forging a signature. Our scheme for the signature is essentially the Aggregate Signature version of the Boneh-Lynn-Shacham signature scheme [BLS04]. In that paper it is shown that forging a signature is at least as hard as solving the so-called computational co-Diffie-Hellman problem on the elliptic curve. The only known way to solve this problem on elliptic curves is via computing discrete logs. Thus forging a signature is at least as hard as solving the computational co-Diffie-Hellman problem on elliptic curves and probably as hard as computing discrete logs.


5. SETUP OF THE SCHEME 


We preserve the notation of §3 here. To initialize the signature scheme we need to pick a prime $p$ and an elliptic curve over a field such that all its $p$-torsion is defined over that field. We also need to produce the collection of $p$-torsion points needed to define the homomorphic signature. In this section we discuss all these matters and provide an example.

We describe the outline of the steps below and then describe the steps in detail:

(1) Pick a large prime and call it $p$.

(2) Pick a suitable prime $\ell$ (described in §5.1) and an elliptic curve $E$ over $\mathbb{F}_\ell$ such that the number of points $\#E(\mathbb{F}_\ell)$ is a multiple of $p$.

(3) Find an extension $\mathbb{F}_q$ of the field $\mathbb{F}_\ell$ such that $E[p] \subseteq E(\mathbb{F}_q)$ (here $E[p]$ refers to the set of all $p$-torsion points).

(4) Since $\#E(\mathbb{F}_\ell) \equiv 0 \pmod p$ it has $p$-torsion points. Let $O \neq P \in E(\mathbb{F}_\ell)$ be a $p$-torsion point on the curve. Take $R_i = a_i P$ for $1 \le i \le k$ and $P_j = b_j P$ for $1 \le j \le d$, where the $a_i$ and $b_j$ are picked at random from the set $\{1, \ldots, p-1\}$.

(5) One of the requirements of our scheme is that $Q$ be a point such that $e(R_i, Q) \neq 1$ and $e(P_j, Q) \neq 1$. To ensure this, we claim that it suffices to pick a point of $p$-torsion that is defined over $\mathbb{F}_q$ but not over the smaller field $\mathbb{F}_\ell$. Indeed, let $Q$ be such a point. Then if $e(R_i, Q) = 1$, this would imply that $e(A, B) = 1$ for any $A, B \in E[p]$ (since $R_i$ and $Q$ generate $E[p]$), which contradicts the non-degeneracy of the Weil pairing.

(6) Finally, we pick the secret keys $s_1, \ldots, s_k$ and $r_1, \ldots, r_d$ at random from $\mathbb{F}_p$.

5.1. Finding a suitable elliptic curve. In general, if we have an elliptic curve $E$ over a finite field $K$, then the $p$-torsion points are defined over an extension of degree $O(p^2)$ of the field $K$ (see [CL05], Lemma 2.2). It is crucial for our scheme to have the $p$-torsion points defined over a small degree extension field so that the operations can be carried out in polynomial time. In this section we discuss how one can pick a suitable field $\mathbb{F}_\ell$ and an elliptic curve over this field that has all its $p$-torsion defined over a small degree extension field.

In the following paragraph we describe a construction that allows one to find an elliptic curve defined over a finite field $\mathbb{F}_\ell$ such that the entire $p$-torsion is defined over $\mathbb{F}_{\ell^2}$. Such curves are said to have embedding degree 2 (the construction we give also generalizes nicely to produce other embedding degrees). We note that the MOV attack reduces the discrete-log problem on the $p$-torsion of such curves to the discrete-log problem in the multiplicative group of the finite field $\mathbb{F}_{\ell^2}$. Thus, for security considerations one needs to take the embedding degree large enough so that the finite field produced by the MOV attack is of cryptographic size. For a detailed discussion of these issues we invite the reader to see [MOV93, MNT01, BLS02] and also the book [BSS99].


The method we describe below, we believe, is the method of Cocks and Pinch [CP01]. However, since there does not seem to be a published description of the method, we find it convenient to include a detailed description here.


The theory of complex multiplication of elliptic 
curves can be used to generate elliptic curves over 
a finite field with a certain number of points on 
them. The algorithm to do this is described in many 
sources [LL90, ALV02, AtMor93, Sch85]. The details 
of the algorithm are not necessary for our purposes, 
but its running time is important, so we describe it 
next. 


Suppose we wish to produce an elliptic curve $E/\mathbb{F}_\ell$ (where $\ell$ is a prime) that has exactly $N$ points, where $N$ lies in the interval $\ell + 1 - 2\sqrt{\ell} \le N \le \ell + 1 + 2\sqrt{\ell}$. Write $N$ as $\ell + 1 - t$ and set $Dy^2 = t^2 - 4\ell$, where $D$ or $D/4$ is squarefree (note that $D$ is negative because of the Hasse bound). Then the algorithm to produce such a curve runs in time $|D|^{O(1)}$. In our case, we seek an elliptic curve with $N$ equal to a small multiple of $p$. This tells us that the field $\mathbb{F}_\ell$ over which we should look for such a curve must have $\ell + 1 - 2\sqrt{\ell} \le mp \le \ell + 1 + 2\sqrt{\ell}$. The other requirement is that $t^2 - 4\ell$ should have a small squarefree part, since this determines the running time of the method to generate such a curve. We pick a prime $\ell$ such that $4\ell = 4p^2 - Dy^2$ for a small (negative) $D$. We also require $\ell \equiv -1 \pmod p$, and we set $t = 2p$. Thus $\ell + 1 - t = \ell + 1 - 2p \equiv 0 \pmod p$, and so the number of points on the elliptic curve will be a multiple of $p$. The time to produce such a curve will also be reasonable since $|D|$ is small. To produce such a prime $\ell$, we pick a (negative) $D$ (with $|D|$ small) and check to see if $p^2 - Dy^2/4$ is prime for $y = 0, 1, \ldots$. Since we are only interested in primes which are congruent to $-1 \pmod p$, we perform the above check only for those values of $y$ such that $-Dy^2 \equiv -4 \pmod p$. A conjecture of Lang-Trotter ([LTr76]) tells us that there will be many values of $y$ that yield a prime. This is also related to a conjecture of Hardy-Littlewood on the prime values of quadratic polynomials.


Now the complex multiplication method produces for us an elliptic curve $E$ over $\mathbb{F}_\ell$ that has some $p$-torsion points. However, we need an elliptic curve such that $E[p]$ is defined over a small degree extension of $\mathbb{F}_\ell$. This is where the additional constraint that $\ell \equiv -1 \pmod p$ is used. Since $\ell \equiv -1 \pmod p$, the order of $\ell$ in $\mathbb{F}_p^{*}$ is 2. Now a theorem of Koblitz-Balasubramanian (see [BK98], Theorem 1) shows that in this case the entire $p$-torsion is defined over a degree 2 extension of the base field, in other words $E[p] \subseteq E(\mathbb{F}_{\ell^2})$. Now we have an elliptic curve $E/\mathbb{F}_\ell$ and we know that it has all its $p$-torsion defined over $\mathbb{F}_{\ell^2}$, but how do we find these points? This is the subject of the next paragraph.


Remark 5.1. We remark that the theory of complex multiplication tells us that, for each $D$, there is a finite list of elliptic curves $E_1, \ldots, E_h$ over some number field $K$ such that $E_i \bmod \ell$ satisfies our requirements. This is illustrated in the example in Appendix A.


5.2. Finding the $p$-torsion points. Let $E/\mathbb{F}_\ell$ be the elliptic curve found using the method given above. Then $\#E(\mathbb{F}_\ell) = \ell + 1 - 2p$. Let $m$ be the largest divisor of $\#E(\mathbb{F}_\ell)$ that is relatively prime to $p$. Let $P$ be a random point on the curve $E(\mathbb{F}_\ell)$. If $mP \neq O$, then $mP$ is a non-trivial point of $p$-power torsion (by Lagrange's theorem). Let $i \ge 1$ be the smallest integer such that $mp^i P = O$ but $mp^{i-1} P \neq O$. Then $mp^{i-1} P$ is a non-trivial $p$-torsion point. Of course, if $mP = O$, we restart with another random point $P$. The probability that $mP = O$ for a random point $P$ is at most $1/p$, so we will find a non-trivial $p$-torsion point with very high probability.

This gives us the piece of the $p$-torsion defined over $\mathbb{F}_\ell$. To find the piece of the $p$-torsion defined over $\mathbb{F}_{\ell^2}$ we repeat the above process over $\mathbb{F}_{\ell^2}$. To carry out this process we need to know the number of points on $E(\mathbb{F}_{\ell^2})$. If $E$ is defined over a finite field $K$, then the number of points on $E$ over any extension of $K$ is determined by $\#E(K)$ ([Sil86, p. 136]). Specifically,

$$\#E(\mathbb{F}_{\ell^2}) = \ell^2 + 1 - \alpha^2 - \beta^2,$$

where $\alpha, \beta$ are the two roots (in $\mathbb{C}$) of the equation

$$\phi^2 - 2p\phi + \ell = 0.$$
APPENDIX A. AN EXAMPLE


The example provided here was produced using the computer algebra package MAGMA [BC03]. For this example we take $D = -4$. For any prime $p$, a suitable prime $\ell$ is one that satisfies $4\ell = 4p^2 + 4y^2$ such that $\ell \equiv -1 \pmod p$. The congruence implies that $y^2 \equiv -1 \pmod p$, in other words $-1$ should be a quadratic residue modulo $p$. This in turn implies that $p \equiv 1 \pmod 4$, and that the values of $y$ that we need to search should be congruent to one of the square roots of $-1 \bmod p$.


Let $p = 26330018368571742206574632566065508402231508999153$. We search for prime values of $p^2 + y^2$ with

$$y \equiv 20611019915125603610370027322246404729378417721286 \pmod p, \quad \text{or}$$
$$y \equiv 5718998453446138596204605243819103672853091277867 \pmod p,$$

corresponding to the two square roots of $-1 \bmod p$. We find that

$$y = 1875150302622039835263003517434470200231290230217730$$

yields a prime, so we take

$$\ell = p^2 + 1875150302622039835263003517434470200231290230217730^2 = 3516881927290816899634862215683448167044556755196219915726547928600461026413407979747354244426961070309.$$


The complex multiplication method tells us that the elliptic curve

$$E : y^2 = x^3 + x \quad \text{(in affine form)}$$

is a suitable elliptic curve. MAGMA tells us that $\#E(\mathbb{F}_\ell)$ is

$$3516881927290816899634862215683448167044556755196219863066511191456976613264142847616337439963943072004,$$

which is indeed $\equiv 0 \pmod p$. This computation took 0.063 seconds on an AMD Opteron 252 (2.6 GHz) processor. The number of points on $E(\mathbb{F}_{\ell^2})$ according to MAGMA is

$$12368458490504770725868614120057823146558266468187459361225948600846501801448460142653837393007842909634176991355780216434931187550854726269234703885776384142268869493894468081319453336772812036965744626464$$


and this is $\equiv 0 \pmod{p^2}$, which is a necessary condition for $E[p]$ being a subgroup of $E(\mathbb{F}_{\ell^2})$. We show that $E[p]$ is indeed contained in $E(\mathbb{F}_{\ell^2})$ by finding two points that generate the $p$-torsion subgroup. Following the method outlined in §5.2 we find two $p$-torsion points, $P$ and $Q$, that generate the whole $p$-torsion of $E(\mathbb{F}_{\ell^2})$:

$$P = (2767010499835095322341063384520824402927117627734637325336838767594148148602058330843763239769722154862,\ 736895619074862870441993260428363309212341952700619999020137331297834986221601940750818713297548511336)$$

$$Q = (1703436933427828756143890099348804522750690840443235518664737403675324957564303078396992524604785250333\,u + 1571288746986618549950168117167220951525077600977567312986377817436996986291386148589353156799909434396,\ 293262979414624776596432402939618431893907517428095829765520553326321029472565240814005665686795414190\,u + 28272291365284541630011849371574061637952191623737718932812446648142173368705416653836715431228856385081).$$

Here $u$ is a variable that gives the isomorphism $\mathbb{F}_{\ell^2} \cong \mathbb{F}_\ell[u]/(f(u))$ for a quadratic irreducible $f \in \mathbb{F}_\ell[u]$. The Weil pairing of $P$ and $Q$ is

$$e_p(P, Q) = 1880361802998353725465339038203546299320540947776990801046037660415779359581593172656075406185808275672\,u + 3128465568396111702537893826504889755054071478912095275807108199402549356171889616725860797979581965315.$$

Since $e_p(P, Q) \neq 1$, the points $P$ and $Q$ do indeed generate $E[p]$.


